Request Format

  • Method: POST
  • Headers:
    • Content-Type: application/json
    • X-Signature: hex-encoded HMAC SHA256 signature of the request body

Events and Payloads

record.flagged

{
  "event": "record.flagged",
  "payload": {
    "entity": "string",     // Content type (e.g., post, comment)
    "clientId": "string",   // Your unique record identifier
    "user": {
      "protected": boolean  // Optional flag for protected users
    }
  },
  "timestamp": "string"     // Unix timestamp in milliseconds
}

record.unflagged

{
  "event": "record.unflagged",
  "payload": {
    "entity": "string",
    "clientId": "string",
    "user": {
      "protected": boolean
    }
  },
  "timestamp": "string"
}

user.suspended

{
  "event": "user.suspended",
  "payload": {
    "clientId": "string" // Your unique user identifier
  },
  "timestamp": "string"
}

user.compliant

{
  "event": "user.compliant",
  "payload": {
    "clientId": "string"
  },
  "timestamp": "string"
}

user.banned

{
  "event": "user.banned",
  "payload": {
    "clientId": "string"
  },
  "timestamp": "string"
}

Security

Signature Verification

Verify the X-Signature header using HMAC SHA256:

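import crypto from "node:crypto";

// The HMAC is computed over the re-serialized body, which must match the bytes that were signed.
const body = JSON.stringify(req.body);
const signature = req.headers["x-signature"] ?? "";
const secret = process.env.IFFY_WEBHOOK_SECRET;

// Expected value: hex-encoded HMAC SHA256 of the body, keyed with the webhook secret.
const hash = crypto.createHmac("sha256", secret).update(body).digest("hex");

// Compare in constant time. timingSafeEqual throws on unequal lengths, so check length first.
const expected = Buffer.from(hash);
const received = Buffer.from(String(signature));
if (expected.length !== received.length || !crypto.timingSafeEqual(expected, received)) {
  return res.status(401).send("Invalid signature");
}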
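A fuller receiver-side check, as an added example (not code from Iffy): it verifies X-Signature over the raw request bytes in constant time, then validates the event name and rejects stale timestamps. The helper name verifyWebhook, the 5-minute window, and the sample secret and payload are assumptions, as is the signature being computed over the body exactly as sent.

```javascript
const crypto = require("node:crypto");

// Event names documented on this page.
const KNOWN_EVENTS = new Set(["record.flagged", "record.unflagged",
  "user.suspended", "user.compliant", "user.banned"]);
const MAX_SKEW_MS = 5 * 60 * 1000; // assumed replay window, not from the docs

const reject = (status, reason) => ({ ok: false, status, reason });

// Hypothetical helper. rawBody is the exact bytes received (Buffer or string),
// e.g. from express.raw({ type: "application/json" }), not re-serialized JSON.
function verifyWebhook(rawBody, signatureHeader, secret, now = Date.now()) {
  if (!secret) return reject(500, "webhook secret not configured");
  // A hex SHA-256 MAC is exactly 64 hex characters; reject anything else early.
  if (typeof signatureHeader !== "string" || !/^[0-9a-f]{64}$/i.test(signatureHeader)) {
    return reject(401, "missing or malformed signature");
  }
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, "hex");
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  if (!crypto.timingSafeEqual(expected, received)) {
    return reject(401, "signature mismatch");
  }
  // Parse only after the MAC checks out, so unauthenticated input never reaches JSON.parse.
  let event;
  try {
    event = JSON.parse(rawBody.toString("utf8"));
  } catch {
    return reject(400, "invalid JSON");
  }
  if (!KNOWN_EVENTS.has(event?.event)) return reject(400, "unknown event");
  // timestamp is a string of Unix milliseconds inside the signed body.
  const ts = Number(event.timestamp);
  if (!Number.isFinite(ts) || Math.abs(now - ts) > MAX_SKEW_MS) {
    return reject(400, "stale or invalid timestamp");
  }
  return { ok: true, status: 200, event };
}

// Constructed sample delivery (secret, clientId and timestamp are made up).
const SAMPLE_SECRET = "constructed-test-secret";
const SAMPLE_BODY = JSON.stringify({ event: "user.banned",
  payload: { clientId: "user_123" }, timestamp: "1700000000000" });
const SAMPLE_SIG = crypto.createHmac("sha256", SAMPLE_SECRET).update(SAMPLE_BODY).digest("hex");

const sample = verifyWebhook(SAMPLE_BODY, SAMPLE_SIG, SAMPLE_SECRET, 1700000001000);
console.log(sample.ok, sample.event.event);
```

Since webhooks are not currently retried, a rejected delivery is not re-sent, so log the returned reason for each rejection.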

Retry Logic

  • We do not currently retry webhooks